Topic: Thoughts on the compromise of Casascius coin holograms (Read 6190 times)

This would work, it's just like signing over a check to a third party by endorsing it on the back and then handing it over to the third party.

Easy peasy. I take Mike's signed document, append text after his signature that identifies the new buyer, and sign the whole thing with my key.

For sake of illustration, Mike's original document is in blue, and mine is in red.

---Begin PGP doc---
- ---Begin PGP doc---

I, Mike Caldwell, sent coins a,b,c to nubbins,
and his PGP fingerprint is ABCD EFGH.

See attached document scanned-coins.pdf
with MD5 checksum blahblah

- ---Begin PGP sig---
234C%#@4fv524 <---PGP signature for Mike's key
- ---End PGP sig---

I, nubbins, sent coin b to zipmaster,
and his PGP fingerprint is IJKL MNOP.

---Begin PGP sig---
@%$Y#H/Rgef4e <---PGP signature for my key (ABCD EFGH)
---End PGP sig---

Then I just take this block of text and scanned-coins.pdf and send them along to the new owner.

Nubbins, how did you extend the chain of custody on your coin?

Of all the coins I've sold (and there have been many), only ONE buyer has taken me up on the offer to extend the chain of custody.

Bank or not, what you're asking him to do is pour tens of thousands of dollars and countless hours of effort into something that most people don't even want.

Buyers who want a chain of custody can find a seller that provides it -- I can think of several off the top of my head. Buyers who don't want a chain of custody can carry on as usual. It's not Mike's responsibility to track down every coin he's sold through a labyrinth of ownership in order to provide a service that most people don't care about.

Mike, I disagree. You wouldn't be performing the role of a bank. Guaranteeing the chain of ownership of the coins is a logical extension of your "trust in Mike Caldwell" product. Furthermore, following with the educational philosophy, you'd be incentivizing people to accept and understand the fundamental concept of a digital signature: a "technology" foundational to the premise of bitcoin itself.

Keep in mind that the purpose of a Casascius Coin is an educational tool and functional proof of concept, aside from the collectible the market has decided it also is... and not intended to be money or a currency.  Although "trust in Mike Caldwell" is an important element of my product, the trust extends to my assertion that the coin contains the only copy of the correct private key as promised (and that I've taken adequate steps to ensure the keys are unreproducible, sufficiently random, and not duplicated).  I'm not a bank, and I feel implementing a system like that is far out of scope of my project.

Mike, I feel like the best thing to do would be to implement on your website a proof of ownership system of the coins.

All coins should also list a Mike Caldwell signed PGP key of their original buyer. When an original coin owner then sells his coins to someone else, they can sign the PGP key of the new buyer and have the site be updated with the new owner's PGP key.

This won't help against tampering of Casascius coins per se but would certainly render counterfeiting impossible since, for a given coin address, it is impossible to know what the private key of the real owner is. Ultimately, only Mike could counterfeit the coins.

This doesn't eliminate trust. What it does is keep trust over Casascius coins what it has always been: trust in Mike Caldwell.

It would certainly be a hassle to implement this mechanism for past coins since all original owners would have to be contacted and, furthermore, some coins have already traded hands so people would have to play catch-up on the PGP chain. However, the hassle would be very much worthwhile to many proud Casascius owners.

Furthermore, the whole mechanism could be automated on the website so that any coin sales can update the PGP chain. Within this framework, new buyers would conclude a sale by having their PGP key signed by the coin's previous owner and updated on the website.

This should seriously be taken under consideration for the benefit of both your business and the overall Casascius community. 

I think the publicized hack adds uncertainty to a buyer's mind. So I would think the average price (in BTC) of resold coins will creep down a bit, more so with the coins that show the least evidence of tampering. It will be interesting to see.

I am attracted to Casascius coins as a longterm collectible, and as a very cool physical embodiment of the idea of Bitcoin. I don't plan on selling the couple I own, at least not in the near future. But if I were sitting on a lot of coins with the intention of selling them, I would not be happy about an additional perceived risk in the minds of buyers that the coins could be drained of value after they were purchased.

Another concern I have for the coins is that someone will simply create great duplicates of the holographic stickers. If people can counterfeit governmental currencies, I assume they can counterfeit one of these stickers.

Don't use physical BTC - that was never the intention..   

Johnnie,

with sellers potentially having the means to discover the inner code, one could:
-Extract and record that information
-Sell the coin with the bits intact
-Redeem the coin's Bitcoins, after having sold the coin

Buyers will not purchase a coin just to instantly redeem it, so they could pull that trigger minutes, or months afterwards.

The tampering is evident, so one can still buy safely. It just requires more work, and my guess is that for those coins in a 'vulnerable' state, this will lead to a decrease in demand (because it is more of a pain to obtain them), and this will result in a decrease in premiums obtained for those coins.  I further speculate that those would-be-buyers are more likely to find an equivalent buy, than to give up and buy nothing.  If I were still looking to obtain more of the rare, collectible coins, I would shop exclusively from:
-Sellers, with an established web of trust, asserting a chain of custody through only trusted sellers.
-Coins sealed (ANACS graded) prior to known tamper-evident-trick.
-Coins graded post-tamper-trick, calling out the authenticity of the coin.

The first means that each sale will make the subsequent resale harder, as the custodial chain becomes longer.
The second is a pretty tiny club (of which I believe you are a fellow member, Mr. Walker!)
The third will first require ANACS to be educated on how to identify the tampering/exploit. This is not a guarantee, but given my conversations with them around the Casacius error, I think they'll be amenable to this.

So I see this being non-impactful to the majority of the coins out there, I do anticipate this will have effects on the higher end collectible market.  Guess we'll see!

Being a numismatist, it is VERY easy to recognize a fake coin. The same would apply here. Casascius was smart enough to plan ahead-his coins (like the laser-cut holograms) have distinct features.

Also, I don't know if I'm missing something, but what about just confirming via FirstBits?

Back in May I was able to remove and re-apply holographic stickers from a paper wallet, as mentioned here:
https://bitcointalksearch.org/topic/m.2031469

Perhaps naively, I viewed my hack (similarly based on a particular solvent) as trivial, and convinced myself that Casascius coins must have been tested against this vulnerability.

Euro and dollar bills are similarly compromised by counterfeiting. The difference today is in the threat of ugly and violent consequences for the perpetrators. Not that I am implying Mike should take action, but...

As pointed out above, if chain of custody can be ascertained with sufficient trust, old Casascius coins are still functional.

Secondary PGP-signing of the PDF would be great! The pictures are a great addition, as well, as they would clearly show the old holograms.

It would be easy to do but hard for the user to verify, only because when you copy text from PDF to the clipboard, how it looks when you paste it is a crapshoot, and it must be perfect to verify properly.  But I could secondarily PGP-sign the entire (Adobe-signed) PDF file as a binary (creating a separate signature file that GPG recognizes)

Signing PDFs also allows for easy signing of the embedded photos.  I have scanned all of the silver coins and most of the recent brass coins.

I'm not too familiar with PDF signing, but that sounds like it would be more accessible to non-technical people. Would it be too much of a reach to generate a PGP-signed message and have that placed into a signed PDF?

I'd be more than happy with one signed document per roll, listing the coins contained therein. I can envision silkscreening some nice certificates of authenticity with the PGP-signed messages, reminiscent of old 19th century bearer bonds

Given that the final count of 0.5s with series 2 holograms is apparently only 45(!), I'm quite eager to get the "stamp of approval" on them!

I can also digitally sign PDF, which Adobe Acrobat will recognize and validate without any hassle to the user.  May come in handy.  Though it's a paid hardware signing module that is not really that suitable for signing batches of documents in bulk, it remains an option for one-off requests.

This will get better when my coins fit the stickers better.  Either new stickers at a smaller diameter, or coins without the little cross hatches.

When I place the sticker, the cross hatches curl the sticker up.  The laser obliterates the contact point, but the curled portion doesn't reliably settle on to the coin.

If I decide on lasering as a permanent thing I do to all the coins, stickers that properly fit the coins won't be so delicate.

The laser cut edge on the holograms for the silver coins is incredibly fragile, I suspect the exploit method would leave noticeable evidence.

On the flip-side, there are plenty of imperfections in the laser cut edge as well which could make it easier to conceal the tampering,  so we won't know for sure until somebody tries.

Everyone just needs to chill out. If a coin is TRULY untouched and mint, a buyer can just request very high res images and even the most careful tampering risks leaving 'some' mark. All this really does is make the true mint condition high value coins and 2-fac bars more valuable.

Also, everything mentioned in the hack can be thwarted by the manufacturer for example adding a thin layer of epoxy or liquid plastic to new coins sold, making it virtually impossible to 'crack' with any solution combination.

EDIT: This was originally a long post trying to clarify I was talking about my assumed impact to the collectible aftermarket, and not the coins in general.  But I since read that formally speaking, this was not an exploit, as the tampering was evident.  Now, I used 'exploit' all over in that post, and re-writing it to be appropriate would have mangled it.  The last thing I want to do is mislead people or create confusion, especially around a product with such great support.

(see http://casascius.wordpress.com/2013/08/04/def-con-21-preliminary-results-from-sunday/ for a great example of this.)

Thanks for your tireless support and advancement of Bitcoin, Mike.